Application of Public Key Infrastructure (PKI) in physical access control

Public Key Infrastructure is beginning to be adopted as a driver of physical access control

Traditionally associated with logical access and the digital signing of documents, Public Key Infrastructure (PKI) is now also being used to control physical access. Its use in physical access control is likely to become more prevalent with the implementation of the FIPS 201-2 recommendations this year. Derek Scheips of ASSA Abloy Future Lab explores the benefits of this key infrastructure for physical access systems.

PKI is fast becoming a leading driver in controlling physical access, largely due to FIPS 201 (Federal Information Processing Standards Publication 201), the US government physical-access control specification that recommends PKI at the door. Recommendations since 2005, they are expected to become mandates with FIPS 201-2 later this year.

FIPS explained

FIPS offers standards for not only what information should be stored on an ID card, but also best practices for verifying the credential is authentic and in the right person's possession, says Kevin Graebel, product manager of HID credentials at HID Global, a leading manufacturer of physical and logical access control solutions. "A digital certificate is placed on the card with the user's key information/access levels. Then the PKI process sends that information via an electronic bridge to a federal certificate authority, making sure access hasn't been revoked or information tampered with."

Benefits of PKI-based access systems

PKI boils down to the use of a mathematically linked pair of keys, one designated public and the other designated private. The linkage ensures that information processed with one key can only be decoded or validated using the other key.

"The primary benefit of a PKI-based access system is that it does not depend on a shared secret key; instead it uses an asymmetric key pair," says Graebel. "In traditional access systems, the reader and the access card share a symmetric key used to authenticate each other. This requires a great deal of coordination between the cards and readers, especially when the cards may be used at more than one location. Using PKI, only the public key of the card needs to be shared, and it can easily be revoked or changed in the event of a breach. The private key is stored securely within the card."

Many advances in deploying PKIs have led to efficiency and interoperability that make it a natural choice not just for logical but also physical access control. "An organization can use a single PKI smart card, such as a PIV (Personal Identity Verification) card, for physical access to a building and to certain rooms, and for logical access to workstations, servers, VPNs, and so on," notes Dave Coombs, director of PKI Standards and Policy at Carillon Information Security, a Canadian air transport and aerospace identity management consulting firm. "This reduces the complexity of managing access control: manual provisioning or removal of access for a person in dozens of different systems is replaced with the issuance or revocation of a single credential."

Furthermore, recent interoperability advances allow one organization that accepts PIV cards to understand the identity of a visitor with a PIV card from a completely separate organization.

Advances in deploying PKI have led to interoperability that makes it a natural choice for physical access control

Cost of adopting PKI

But despite PKI's promise, there can be disadvantages, including cost and speed. "At a minimum, organizations will need to create or have access to a Certification Authority to manage the generation and validation of certificates," says Graebel. "Depending on how this is implemented, it may require costly rewiring and upgrading of all of their readers."

Contact versus contactless access control cards

Speed is also a bottleneck for physical access control. For durability and vandalism-resistance reasons, it is more practical to use contactless rather than contact communication between the card and the reader, but a contactless PKI exchange can then take as much as 1.5 to 2 seconds. This may not seem like a long time, but when users are used to the fraction-of-a-second read times offered by technologies like Prox or iCLASS, it can cause issues.

"One disadvantage we hear about is the perceived slowness of PKI at the door," observes Coombs. "This can be mitigated by caching revocation information or OCSP (Online Certificate Status Protocol) responses, or even by pre-validating every morning each credential that was used at that site the previous day." He predicts that in the coming years: "more and more public and private organizations will be going this route, particularly given the work being done in the US right now."

PKI development in Europe

Of course, many countries have been developing their own PKI methodologies in parallel.

Organisations can use a single PKI smart card for physical access to a building and certain rooms, and for access to workstations

The French government issues PKI credentials to its citizens every year to file their income tax, and its General Security Framework (RGS) includes recommendations on securing large-scale IT systems using PKI. "The Belgians have done something similar with their eID card," says Coombs. "It's a PKI-enabled smart card issued to Belgian citizens to authenticate their access to government systems and programs online."

Meanwhile, the German government is leading the way in implementing the European Union directive concerning 'qualified signature' certificates, the only kind of digital signature that carries the force of law in Europe.

It should be noted that these European initiatives concern only logical access control to information systems, and it is still early days for PKI as a physical access control. At this point, very few public companies are choosing to use PKI for physical access control because of the newness and relative complexity, observes Graebel. "I suspect it will become more common as FIPS 201-2 is implemented and there is a wider variety of products available on the market to support it."
